Observer+

SMRT Feedback tracks down Person of Interest in Singhealth hack

The Singhealth database breach may have happened earlier than thought.

Singapore hacker vigilante group, SMRT Feedback, has named a Person of Interest (POI) involved in the Singhealth hack.

In an email statement to Observer+ today (Jul 28), the online vigilantes presented evidence that points towards suspicious activity from an individual’s account who is employed in an IT firm that is allegedly contracted by Singhealth.

SMRT Feedback, however, said that the POI is not necessarily a suspect implicit in Singhealth’s database breach and that the POI himself may have been a victim.

The evidence put forth by SMRT Feedback points towards a database log, or more specifically, a ‘Java stack trace’ dated May 24th, 2018, which may suggest that the Singhealth hack occurred earlier than thought. The current official statement is that the breach happened between June 27 to July 4, 2018.

SCREENSHOT OF LOG

See full log at the end of this article.

WHAT THE LOG TELLS US

The log above shows that a command was made to delegate access control of Singhealth’s database named “SHHQ” from a senior officer in Singhealth to an employee of an IT Contractor.

The IT contractor in the log is shown to be CTC Global Pte Ltd which is based in Singapore and a wholly-owned subsidiary of ITOCHU Techno-Solutions Corporation, a Japanese technology firm.

The employee is an outsourced IT Analyst based in Chennai, India.

As investigations are ongoing, SMRT Feedback has refrained from revealing the names of the Singhealth officer and the IT Analyst to protect their identities.

EVIDENCE MAY NOT BE CONCLUSIVE

SMRT Feedback did not mention how they got the logs, but they added that the evidence should be looked upon at all angles, including the possibility that the logs were just routine maintenance by the analyst.

To support the theory of routine maintenance, SMRT Feedback points us to this website where the logs were posted to show an unidentified developer asking questions about database errors.

The timing of the log and the subsequent database breach that happened shortly after is the reason why SMRT Feedback considers this a matter of interest.

It is also interesting to note that if the POI had indeed be granted access control to the database, he would have elevated privileges to extract and modify any records found in the database, including personal details of Singhealth’s patients.

Singhealth has previously stated that the personally-identifiable data of patients were not found to be modified.

It is not known at this stage if SMRT Feedback has shared their findings with the authorities.